System, method, and computer program product for comparing an object with object enumeration results to identify an anomaly that at least potentially indicates unwanted activity

US 8,613,093 B2
Filed: 08/15/2007
Issued: 12/17/2013
Est. Priority Date: 08/15/2007
Status: Active Grant

First Claim

Patent Images

1. A method for avoiding a false positive identification of an anomaly that potentially indicates unwanted activity based on an object that has been unlinked or deleted prior to identifying object enumeration results, comprising:

identifying a change in a state of the object via a filter driver of a security system, wherein the object is included in a predetermined list of objects of an operating system being monitored for object manipulation events;

determining whether the object has been unlinked or deleted;

if it is determined that the object has not been unlinked, determining whether results of an object enumeration have been identified by a kernel enumeration interface that utilizes a directory in which the object is expected to be included;

if it is determined that the results of the object enumeration have not been identified, determining repeatedly whether the object has been unlinked or deleted until the results of the object enumeration have been identified or in response to a determination that the object has been unlinked;

if the object has not been unlinked nor deleted and if the results of the object enumeration have been identified, comparing the object with results of the object enumeration;

if the object has been unlinked or deleted, preventing the comparing step;

identifying at least potentially unwanted activity based on the comparison, wherein the identifying includes identifying an anomaly associated with the object being removed from a particular list a kernel of the operating system is to utilize for the object enumeration; and

initiating an analysis of a process that requested the change in the state of the object, wherein the analysis is configured to identify a rootkit associated with the unwanted activity.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method, and computer program product are provided for comparing an object with object enumeration results to identify at least potentially unwanted activity. In use, a change in a state of an object is identified. Additionally, the object is compared with results of an object enumeration. Further, at least potentially unwanted activity is identified based on the comparison.

Citations

16 Claims

1. A method for avoiding a false positive identification of an anomaly that potentially indicates unwanted activity based on an object that has been unlinked or deleted prior to identifying object enumeration results, comprising:
- identifying a change in a state of the object via a filter driver of a security system, wherein the object is included in a predetermined list of objects of an operating system being monitored for object manipulation events;
  
  determining whether the object has been unlinked or deleted;
  
  if it is determined that the object has not been unlinked, determining whether results of an object enumeration have been identified by a kernel enumeration interface that utilizes a directory in which the object is expected to be included;
  
  if it is determined that the results of the object enumeration have not been identified, determining repeatedly whether the object has been unlinked or deleted until the results of the object enumeration have been identified or in response to a determination that the object has been unlinked;
  
  if the object has not been unlinked nor deleted and if the results of the object enumeration have been identified, comparing the object with results of the object enumeration;
  
  if the object has been unlinked or deleted, preventing the comparing step;
  
  identifying at least potentially unwanted activity based on the comparison, wherein the identifying includes identifying an anomaly associated with the object being removed from a particular list a kernel of the operating system is to utilize for the object enumeration; and
  
  initiating an analysis of a process that requested the change in the state of the object, wherein the analysis is configured to identify a rootkit associated with the unwanted activity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the object includes a file.
  - 3. The method of claim 1, wherein the object includes a registry.
  - 4. The method of claim 1, wherein the state of the object is changed as a result of an object manipulation request.
  - 5. The method of claim 1, wherein the state of the object includes an open state.
  - 6. The method of claim 1, wherein the state of the object includes a write state.
  - 7. The method of claim 1, wherein the change in the state of the object is identified by monitoring at least one application program interface.
  - 8. The method of claim 1, wherein the results of the object enumeration include a list of objects.
  - 9. The method of claim 1, wherein the object is compared with the results of the object enumeration based on a policy.
  - 10. The method of claim 9, wherein the policy indicates that for each of a plurality of objects for which a state has changed, the comparison is performed randomly.
  - 11. The method of claim 9, wherein the policy indicates that for each of a plurality of objects for which a state has changed, the comparison is performed only once per run-time.
  - 12. The method of claim 1, further comprising noting the comparison as successful in cache if it is determined that the object is included in the results of the object enumeration.
  - 13. The method of claim 1, wherein the at least potentially unwanted activity is identified if it is determined that the object does not match any portion of the results of the object enumeration.

14. A computer program product embodied on a non-transitory computer readable medium for performing operations for avoiding a false positive identification of an anomaly that potentially indicates unwanted activity based on an object that has been unlinked or deleted prior to identifying object enumeration results, the operations comprising:
- identifying a change in a state of the object via a filter driver of a security system, wherein the object is included in a predetermined list of objects of an operating system being monitored for object manipulation events;
  
  determining whether the object has been unlinked or deleted;
  
  if it is determined that the object has not been unlinked, determining whether results of an object enumeration have been identified by a kernel enumeration interface that utilizes a directory in which the object is expected to be included;
  
  if it is determined that the results of the object enumeration have not been identified, determining repeatedly whether the object has been unlinked or deleted until the results of the object enumeration have been identified or in response to a determination that the object has been unlinked;
  
  if the object has not been unlinked nor deleted and if the results of the object enumeration have been identified, comparing the object with results of the object enumeration provided by a kernel enumeration interface that utilizes a directory in which the object is expected to be included;
  
  if the object has been unlinked or deleted, preventing the comparing step;
  
  identifying at least potentially unwanted activity based on the comparison, wherein the identifying includes identifying an anomaly associated with the object being removed from a particular list a kernel of the operating system is to utilize for the object enumeration; and
  
  initiating an analysis of a process that requested the change in the state of the object, wherein the analysis is configured to identify a rootkit associated with the unwanted activity.

15. A system for avoiding a false positive identification of an anomaly that potentially indicates unwanted activity based on an object that has been unlinked or deleted prior to identifying object enumeration results, the system comprising:
- a processor, wherein the system is configured for;
  
  identifying a change in a state of the object via a filter driver of a security system, wherein the object is included in a predetermined list of objects of an operating system being monitored for object manipulation events;
  
  determining whether the object has been unlinked or deleted;
  
  if it is determined that the object has not been unlinked, determining whether results of an object enumeration have been identified by a kernel enumeration interface that utilizes a directory in which the object is expected to be included;
  
  if it is determined that the results of the object enumeration have not been identified, determining repeatedly whether the object has been unlinked or deleted until the results of the object enumeration have been identified or in response to a determination that the object has been unlinked;
  
  if the object has not been unlinked nor deleted and if the results of the object enumeration have been identified, comparing the object with results of the object enumeration;
  
  if the object has been unlinked or deleted, preventing the comparing step;
  
  identifying at least potentially unwanted activity based on the comparison, wherein the identifying includes identifying an anomaly associated with the object being removed from a particular list a kernel of the operating system is to utilize for the object enumeration; and
  
  initiating an analysis of a process that requested the change in the state of the object, wherein the analysis is configured to identify a rootkit associated with the unwanted activity.
- View Dependent Claims (16)
- - 16. The system of claim 15, wherein the processor is coupled to memory via a bus.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Camp, Tracy E.
Primary Examiner(s)
Chea, Philip
Assistant Examiner(s)
Traore, Fatoumata

Application Number

US11/839,225
Publication Number

US 20130247180A1
Time in Patent Office

2,316 Days
Field of Search

None
US Class Current

726/24
CPC Class Codes

G06F 21/565 by checking file integrity

G06F 21/577 Assessing vulnerabilities a...

System, method, and computer program product for comparing an object with object enumeration results to identify an anomaly that at least potentially indicates unwanted activity

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

System, method, and computer program product for comparing an object with object enumeration results to identify an anomaly that at least potentially indicates unwanted activity

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links